ACE (Access Control Entry)
An ACE specifies the permissions or audit settings a user or group has over a securable object.
In case of 2 conflicting ACEs for the same user or group, the most restrictive applies.
ACL (Access Control List)
An ACL is a collection of Access Control Entries (ACE).
On Windows there are 2 types of ACL:
DACL (Discretionary Access Control List)
Controls who has access to an object and what operations they can perform.
ACEs in the DACL are composed of:
<User or Group> + X <NTFS Permissions> + Y <Inheritance Flags>
SACL (System Access Control List)
Specifies what types of access should be audited and logged in the security log.
You can query an object's ACL with icacls or Get-Acl
NTFS Permissions
Filesystem permissions
F: Full Access - Grants all permissions.
D: Delete Access - Grants the ability to delete the file/folder.
N: No Access - Denies all permissions.
M: Modify Access - Grants read, write, and delete permissions.
RX: Read and Execute Access - Grants read and execute permissions.
R: Read-only Access - Grants read permissions only.
W: Write-only Access - Grants write permissions only.
Inheritance Flags
(CI): Container Inherit - This folder and subfolders
(OI): Object Inherit - This folder and files
(IO): Inherit only - Not this folder but all its child files & folders
(NP): No Propagate - Only immediate child files and folders inherit
(I): Inherit - Permission inherited from parent container (usually automatic)
Share Permissions
Share permissions apply to files & folders accessed over the network (on shares).
If share and NTFS permissions conflict, the most restrictive applies.
This article gives more insights => https://www.varonis.com/blog/ntfs-permissions-vs-share
Read: Users are allowed to view file & subfolder contents
Change: Users are permitted to read, edit, delete and add files and subfolders
Full Control: Includes all of the above and allows for permissions to be changed and ownership to be taken.
Security Descriptor
A security descriptor contains the security information associated with a securable object:
The primary group (of the owner)
SDDL (Security Descriptor Definition Language)
SDDL is a standard string notation for representing security descriptors in Windows.
To query a service's security descriptor in SDDL use sc sdshow <ServiceName>
Below is an example of a security descriptor in SDDL
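As an added example (not part of the original notes), a small Python decoder for the SDDL string that sc sdshow prints: it splits the O:/G:/D:/S: sections, decodes each ACE (type, flags, rights, trustee) and summarises per trustee which rights are explicitly allowed and denied, so conflicting entries like those described above are visible at a glance. The sample string and the SID/right abbreviation tables are constructed for this example; the ACE flags CI/OI/IO/NP/ID are the same inheritance flags listed in the icacls section.

```python
import re

# Constructed sample (not from the page) in the shape 'sc sdshow <ServiceName>' prints:
# no O:/G: parts, a DACL with an explicit Deny for Interactive users placed before
# their Allow (canonical order), and a SACL entry that audits failed access by Everyone.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(D;;DCWP;;;IU)(A;;CCLCSWLOCRRC;;;IU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit", "AL": "Alarm"}
# ACE flags: CI/OI/IO/NP/ID are the inheritance flags icacls shows; SA/FA are audit flags.
ACE_FLAGS = {"CI": "ContainerInherit", "OI": "ObjectInherit", "IO": "InheritOnly",
             "NP": "NoPropagate", "ID": "Inherited", "SA": "AuditSuccess", "FA": "AuditFailure"}
SID_ALIASES = {"SY": "LocalSystem", "BA": "Administrators", "BU": "Users", "IU": "Interactive",
               "SU": "ServiceLogon", "WD": "Everyone", "AU": "AuthenticatedUsers"}
# Generic and standard rights; two-letter codes not listed are object-specific
# (service rights such as CC/DC/WP) and are passed through unchanged.
RIGHTS = {"GA": "GenericAll", "GR": "GenericRead", "GW": "GenericWrite", "GX": "GenericExecute",
          "RC": "ReadControl", "SD": "Delete", "WD": "WriteDac", "WO": "WriteOwner",
          "FA": "FileAll", "FR": "FileRead", "FW": "FileWrite", "FX": "FileExecute"}

def _pairs(s):
    """SDDL packs flags and rights as concatenated two-letter codes."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_ace(ace):
    """Decode 'type;flags;rights;object_guid;inherit_guid;sid' into a readable dict."""
    ace_type, flags, rights, _obj_guid, _inh_guid, sid = ace.split(";")[:6]
    # rights may also be a raw hex access mask (e.g. 0x1200a9); keep that as is
    decoded = [rights] if rights.startswith("0x") else [RIGHTS.get(r, r) for r in _pairs(rights)]
    return {"type": ACE_TYPES.get(ace_type, ace_type),
            "flags": [ACE_FLAGS.get(f, f) for f in _pairs(flags)],
            "rights": decoded, "trustee": SID_ALIASES.get(sid, sid)}

def parse_sddl(sddl):
    """Split O:/G:/D:/S: sections; DACL/SACL control flags (P, AI, AR) before the ACEs are ignored."""
    sd = {"owner": None, "group": None, "dacl": [], "sacl": []}
    for key, body in re.findall(r"([OGDS]):([^:]*)(?=[OGDS]:|$)", sddl):
        if key in "OG":
            sd["owner" if key == "O" else "group"] = SID_ALIASES.get(body, body)
        else:
            sd["dacl" if key == "D" else "sacl"] = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)]
    return sd

def dacl_summary(sd):
    """Per trustee, which rights are explicitly allowed and which are denied (Deny wins on conflict)."""
    summary = {}
    for ace in sd["dacl"]:
        entry = summary.setdefault(ace["trustee"], {"Allow": set(), "Deny": set()})
        if ace["type"] in entry:
            entry[ace["type"]].update(ace["rights"])
    return summary
```

Calling dacl_summary(parse_sddl(SAMPLE_SDDL)) shows Interactive with Allow {CC, LC, SW, LO, CR, ReadControl} and Deny {DC, WP}, i.e. the explicit Deny on config changes is what takes effect for that group.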